This guide explains the process of installing and using Trezor cryptocurrency hardware wallets on Qubes OS. Many people have been having issues using Trezor on Qubes so I compiled an exhaustive and ultimate guide on the process. Please comment any issues and I will help troubleshoot.
I am posting the brief instructions here. If you require more detail, please see my GitHub.
Written by Ursidae: https://ursidaecyber.com
Step 1: Install Trezor Suite
- Download the Trezor Suite .AppImage from the Trezor website, along with its signature and the signing key, in a new Whonix AppVM dedicated to Trezor.
- Verify the download.
- Execute code:
sudo chmod u+x /Downloads/Trezor-Suite-23.4.2-linux-x86_64.AppImage
- Right click on the .AppImage file and press execute to open the application.
Step 2: Port Listening
In Trezor Whonix AppVM:
- Execute command:
sudo nano /rw/config/rc.local
- Add the following code to the file:
socat TCP-LISTEN:21325,fork EXEC:"qrexec-client-vm sys-usb trezord-service" &
- Save and exit.
Step 3: Dom0 Trezor Policy
In Dom0:
- Execute:
sudo nano /etc/qubes-rpc/policy/trezord-service
- Add this code to the new file:
$anyvm $anyvm allow,user=trezord,target=sys-usb
- Save and exit.
Step 4: Fedora Cloning
- Clone your current regular fedora-37 template Qube and name it fedora-37-sys.
- Clone the fedora-37-dvm Qube and name it fedora-37-sys-dvm.
- Set the template for the fedora-37-sys-dvm as fedora-37-sys.
- Set sys-usb's template as fedora-37-sys-dvm.
Step 5: Trezord Service
In fedora-37-sys-dvm:
- Execute in terminal:
sudo mkdir /usr/local/etc/qubes-rpc
- Execute:
sudo nano /usr/local/etc/qubes-rpc/trezord-service
- Add this code to the file:
socat - TCP:localhost:21325
- Save and exit.
- Execute:
sudo chmod +x /usr/local/etc/qubes-rpc/trezord-service
Step 6: Trezor Bridge
In fedora-37-sys:
- Download the Trezor Bridge .rpm file from Trezor.
- Execute:
sudo chmod u+x /Downloads/trezor-bridge-2.0.27-1.x86_64.rpm
- Then execute:
sudo rpm -i /Downloads/trezor-bridge-2.0.27-1.x86_64.rpm
Step 7: Udev rules
Note on Udev rpm use: Using the Trezor-provided Udev rpm file does not work for Qubes. See in-depth explanation section below. Use the provided Method 1 or 2 here. Use Method 2 if comfortable with enabling networking in the template and Method 1 if not.
Method 1: Manual Build
In fedora-37-sys:
- Run:
sudo nano /etc/udev/rules.d/51-trezor.rules
- Copy and paste this code into the file:
# Trezor
SUBSYSTEM=="usb", ATTR{idVendor}=="534c", ATTR{idProduct}=="0001", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"
KERNEL=="hidraw*", ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl"
# Trezor v2
SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c0", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"
SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c1", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"
KERNEL=="hidraw*", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="53c1", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl"
- Save and exit.
- Execute:
sudo chmod +x /etc/udev/rules.d/51-trezor.rules
OR
Method 2: Curl Installation
- In fedora-37-sys enable networking.
- Install curl:
sudo dnf install curl
- Download Udev rules:
sudo curl https://data.trezor.io/udev/51-trezor.rules -o /etc/udev/rules.d/51-trezor.rules
- Allow execution:
sudo chmod +x /etc/udev/rules.d/51-trezor.rules
- Revoke fedora-37-sys networking permissions.
Step 8: Install Trezor Dependencies
In the Trezor Whonix AppVM:
- Install pip:
sudo apt install pip
- Execute:
pip3 install --user trezor
AND
In fedora-37-sys:
- Allow networking.
- Execute:
sudo dnf install trezor-common
- Revoke networking permissions in fedora-37-sys.
Done.
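The Step 3 policy uses $anyvm as the source, so every qube, not only the Trezor AppVM, is allowed to call trezord-service in sys-usb. The script below is an added example (not part of the original guide and not Qubes tooling) that models first-match evaluation of a legacy policy file and compares the guide's rule with a narrowed variant. The qube name "trezor", the narrowed rules and the helper names are assumptions, and only literal names and $anyvm/@anyvm are handled.

```shell
#!/bin/sh
# Added example, not from the guide: first-match evaluation of a legacy
# /etc/qubes-rpc/policy/<service> file ("source destination action[,params]").
# Simplification: only literal qube names and $anyvm/@anyvm are understood.

# matches PATTERN NAME: succeeds if the policy token covers the qube name
matches() {
    case "$1" in
        '$anyvm'|'@anyvm') return 0 ;;
        *) [ "$1" = "$2" ] ;;
    esac
}

# policy_decision FILE SRC DST: prints allow, ask or deny for that call
policy_decision() {
    while read -r src dst action rest || [ -n "$src" ]; do
        case "$src" in ''|'#'*) continue ;; esac    # blank line or comment
        if matches "$src" "$2" && matches "$dst" "$3"; then
            echo "${action%%,*}"                    # strip ",user=...,target=..."
            return 0
        fi
    done < "$1"
    echo deny                                       # no rule matched
}

# write_samples DIR: constructed sample policies for the demonstration
write_samples() {
    # The rule exactly as given in Step 3.
    printf '%s\n' '$anyvm $anyvm allow,user=trezord,target=sys-usb' > "$1/guide"
    # Hypothetical narrowed variant; "trezor" is an assumed qube name.
    printf '%s\n' '# only the wallet qube may reach trezord' \
        'trezor sys-usb allow,user=trezord' \
        '$anyvm $anyvm deny' > "$1/narrow"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for q in trezor untrusted; do
    echo "$q -> guide: $(policy_decision "$demo_dir/guide" "$q" sys-usb)," \
         "narrowed: $(policy_decision "$demo_dir/narrow" "$q" sys-usb)"
done
rm -rf "$demo_dir"
```

With the narrowed variant, the socat line from Step 2 still works because it calls sys-usb directly, while calls from any other qube are denied.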